SAML + Keycloak: `required_groups` not recognized. Could `groups_attribute` be the problem?

I set up SAML to enable login for users configured in a Keycloak instance, which works like a charm. Next up was restricting access to GitLab to certain user groups.

I checked the documentation about required_groups and set it up accordingly (see below). Looking at the SAML response in production.log (see below), the groups are sent as they should be. Still, GitLab creates users and/or logs them in.

As admin_groups doesn't work either, I guess something is wrong with my configuration of the groups_attribute.

Do you have any ideas?

My SAML settings from gitlab.rb.

Everything is set up according to the required_groups documentation. I tried moving the group settings into the args object because I read that in some SO answer, but that did not work either.

gitlab_rails['omniauth_providers'] = [
  {
    name: 'saml',
    label: 'My Login',
    groups_attribute: 'roles',
    required_groups: ['gitlab_access'],
    admin_groups: ['gitlab_admin'],
    args: {
        ...,
        attribute_statements: {
            email: ['email'],
            nickname: ['last_name'],
            name: ['name'],
            first_name: ['first_name'],
            last_name: ['last_name'],
        },
    },
  }
]

SAML response from production.log

The groups look like they should according to the documentation and GitLab does correctly recognize email and name from these attributes.

<saml:AttributeStatement>
    <saml:Attribute FriendlyName="Roles" Name="roles" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">uma_authorization</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">offline_access</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account-links</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">view-profile</saml:AttributeValue>
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">manage-account</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="Last Name" Name="last_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Langstrumpf</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="First Name" Name="first_name" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">Pippi</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute FriendlyName="Email" Name="email" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">langstrumpf@example.com</saml:AttributeValue>
    </saml:Attribute>
</saml:AttributeStatement>
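As an added diagnostic (not part of the post and not GitLab's own code), this Python script parses an AttributeStatement like the one above and applies the groups_attribute / required_groups / admin_groups rules from the gitlab.rb snippet to it, reporting whether the configured attribute is present at all, which values it carries, and which sign-in/admin decision those rules would produce. The sample response is constructed from the post, and the "at least one matching group" semantics is an assumption.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Rules mirroring the gitlab.rb settings in the post.
GROUPS_ATTRIBUTE = "roles"
REQUIRED_GROUPS = ["gitlab_access"]
ADMIN_GROUPS = ["gitlab_admin"]

# Constructed sample: the AttributeStatement from the post (xsi noise dropped),
# wrapped in a root element that declares the saml prefix so it parses stand-alone.
SAMPLE_RESPONSE = f"""<root xmlns:saml="{SAML_NS}">
<saml:AttributeStatement>
  <saml:Attribute Name="roles">
    <saml:AttributeValue>uma_authorization</saml:AttributeValue>
    <saml:AttributeValue>offline_access</saml:AttributeValue>
    <saml:AttributeValue>manage-account-links</saml:AttributeValue>
    <saml:AttributeValue>view-profile</saml:AttributeValue>
    <saml:AttributeValue>manage-account</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="email">
    <saml:AttributeValue>langstrumpf@example.com</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>
</root>"""


def parse_attributes(xml_text):
    """Return {Name: [values]} for every saml:Attribute in the statement."""
    root = ET.fromstring(xml_text)
    attrs = {}
    for attr in root.iter(f"{{{SAML_NS}}}Attribute"):
        values = [v.text or "" for v in attr.findall(f"{{{SAML_NS}}}AttributeValue")]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def evaluate_access(attrs, groups_attribute=GROUPS_ATTRIBUTE,
                    required_groups=REQUIRED_GROUPS, admin_groups=ADMIN_GROUPS):
    """Apply the required_groups / admin_groups rules to parsed attributes.
    Assumed semantics: at least one required group grants sign-in, at least one
    admin group grants admin; a missing groups attribute counts as no groups."""
    groups = set(attrs.get(groups_attribute, []))
    return {
        "attribute_present": groups_attribute in attrs,
        "groups_found": sorted(groups),
        "allowed": not required_groups or bool(groups & set(required_groups)),
        "admin": bool(groups & set(admin_groups)),
    }
```

Run it against the AttributeStatement copied from your own production.log (wrapped in a root that declares the saml prefix) to see whether the expected group value actually arrives under the configured attribute name.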